SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   Wu-ftpd
Vendors:   WU-FTPD Development Group
(SCO Issues Fix) Re: wu-ftpd Off-by-one Overflow in fb_realpath() May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007815
SecurityTracker URL:  http://securitytracker.com/id/1007815
CVE Reference:   CVE-2003-0466
Date:  Sep 25 2003
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.5.0 - 2.6.2
Description:   A buffer overflow vulnerability was reported in wu-ftpd. A remote authenticated user can execute arbitrary code on the system.

iSEC Security Research reported that there is an "off-by-one" overflow in the fb_realpath() function. A remote authenticated user (including an anonymous user with certain write privileges) can create a path of length MAXPATHLEN+1 to overflow a buffer of length MAXPATHLEN and trigger a stack overflow. The path is composed of the current working directory name and a user-specified file name, according to the report.

The flaw can reportedly be triggered using the STOR, RETR, APPE, DELE, MKD, RMD, STOU, and RNTO commands.
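
The boundary condition described above, as an added example (not wu-ftpd source code and not part of the advisory): a length check that omits the terminating NUL accepts a path needing MAXPATHLEN+1 bytes, while a check that counts every byte rejects it. DEMO_MAXPATHLEN, the sample directory and file names, and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for MAXPATHLEN, kept small so the boundary case is easy to read.
 * Assumption for this example; real systems define it in <sys/param.h>. */
#define DEMO_MAXPATHLEN 16

/* Bytes needed to store "cwd/name" including the terminating NUL.
 * No separator is added when cwd is the root directory "/". */
static size_t bytes_needed(const char *cwd, const char *name)
{
    size_t sep = (strcmp(cwd, "/") == 0) ? 0 : 1;
    return strlen(cwd) + sep + strlen(name) + 1;
}

/* Flawed check (illustrative): counts the characters of both parts and the
 * separator but forgets the NUL, so it accepts DEMO_MAXPATHLEN + 1 bytes. */
static int flawed_check_accepts(const char *cwd, const char *name)
{
    size_t sep = (strcmp(cwd, "/") == 0) ? 0 : 1;
    return strlen(cwd) + sep + strlen(name) <= DEMO_MAXPATHLEN;
}

/* Hardened join: rejects anything that does not fit, NUL included.
 * Returns 0 on success, -1 if the result would not fit in out[outsz]. */
static int join_path_checked(char *out, size_t outsz,
                             const char *cwd, const char *name)
{
    if (bytes_needed(cwd, name) > outsz)
        return -1;
    int n = snprintf(out, outsz, "%s%s%s", cwd,
                     strcmp(cwd, "/") == 0 ? "" : "/", name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char buf[DEMO_MAXPATHLEN];
    const char *cwd = "/pub/inc";   /* constructed sample: 8 chars */
    const char *name = "abcdefg";   /* constructed sample: 7 chars */
    /* 8 + 1 + 7 = 16 characters, so 17 bytes with the NUL. */
    printf("needed=%zu buffer=%zu\n", bytes_needed(cwd, name), sizeof buf);
    printf("flawed check accepts: %d\n", flawed_check_accepts(cwd, name));
    printf("checked join returns: %d\n",
           join_path_checked(buf, sizeof buf, cwd, name));
    return 0;
}
```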

The following notification timeline is provided:

June 1, 2003 security@wu-ftpd.org has been notified
June 9, 2003 Request for confirmation of receipt sent to security@wu-ftpd.org
June 11, 2003 Response received from Kent Landfield
July 3, 2003 Request for status update sent
July 19, 2003 vendor-sec list notified
July 31, 2003 Coordinated public disclosure

Impact:   A remote user can execute arbitrary code with root privileges.
Solution:   SCO has issued a fix for OpenServer.

For OpenServer 5.0.7:

Install Maintenance pack 1.

Location of Maintenance pack 1:

ftp://ftp.sco.com/pub/openserver5/osr507mp/

Installing Maintenance pack 1:

Upgrade the affected binaries with the following sequence:

1) Download the VOL* files to the /tmp directory

2) Run the custom command, specify an install from media images, and specify the /tmp directory as the location of the images.

For OpenServer 5.0.6 - 5.0.5:

First, install:

OSS646B - Execution Environment Supplement

Location of Fixed Binaries:

ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.20

Verification:

MD5 (VOL.000.000) = 7cde8ff3cf05658b054dae20f6620bcb

Installing Fixed Binaries:

Upgrade the affected binaries with the following sequence:

1) Download the VOL* files to the /tmp directory

2) Run the custom command, specify an install from media images, and specify the /tmp directory as the location of the images.

Vendor URL:  www.wuftpd.org/
Cause:   Boundary error
Underlying OS:  UNIX (Open UNIX-SCO)
Underlying OS Comments:  OpenServer 5.0.5, 5.0.6, and 5.0.7

Message History:   This archive entry is a follow-up to the message listed below.
Jul 31 2003 wu-ftpd Off-by-one Overflow in fb_realpath() May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  [Full-Disclosure] OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : wu-ftpd fb_realpath() off-by-one bug



To: bugtraq@securityfocus.com announce@lists.caldera.com full-disclosure@lists.netsys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : wu-ftpd fb_realpath() off-by-one bug
Advisory number: 	CSSA-2003-SCO.20
Issue date: 		2003 September 18
Cross reference:	sr882339 fz528115 erg712363
______________________________________________________________________________


1. Problem Description

	 The Wu-ftpd FTP server contains a remotely exploitable off-by-one
	 bug. A local or remote attacker could exploit this
	 vulnerability to gain root privileges on a vulnerable
	 system. 
	 
	 The Common Vulnerabilities and Exposures project
	 (cve.mitre.org) has assigned the name CAN-2003-0466 to
	 this issue.


2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	OpenServer 5.0.5 - 5.0.7	/etc/ftpd

3. Solution

	The proper solution is to install the latest packages.


4. OpenServer 5.0.7

	4.1 Install Maintenance pack 1.

	4.2 Location of Maintenance pack 1.

	ftp://ftp.sco.com/pub/openserver5/osr507mp/

	4.3 Installing Maintenance pack 1.

	Upgrade the affected binaries with the following sequence:

	1) Download the VOL* files to the /tmp directory

	2) Run the custom command, specify an install from media
	images, and specify the /tmp directory as the location of
	the images.

5. OpenServer 5.0.6 - 5.0.5

	5.1 First, install:

		OSS646B - Execution Environment Supplement

	5.2 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.20

	5.3 Verification

	MD5 (VOL.000.000) = 7cde8ff3cf05658b054dae20f6620bcb

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	5.4 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the VOL* files to the /tmp directory

	2) Run the custom command, specify an install from media
	images, and specify the /tmp directory as the location of
	the images.


6. References

	Specific references for this advisory:
		http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0466 
		http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt 
		http://www.ciac.org/ciac/bulletins/n-132.shtml

	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr882339 fz528115
	erg712363.


8. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.


9. Acknowledgments

	 SCO would like to thank Wojciech Purczynski and Janusz
	 Niewiadomski for the advisory.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/bzTsaqoBO7ipriERAidHAJ4wpBW9J3GCPEwn6Mak9t5+XAZAwgCghQSs
q7S5CxTJrBp2c0KqG+NM+Zw=
=4pz6
-----END PGP SIGNATURE-----
